gcp/service/cloud_security_scanner by Om46-coder · Pull Request #373 · Hardhat-Enterprises/Policy-Deployment-Engine

Om46-coder · 2026-05-07T04:30:31Z

Summary

Added policies for the Terraform resource google_security_scanner_scan_config.

Implemented policy checks for:

starting_urls
max_qps
export_to_security_command_center
authentication.custom_account.login_url
blacklist_patterns

Documentation

Added documentation explaining:

Why each policy argument was included
Why other Terraform arguments were excluded
Security justification for each policy
Testing approach using compliant and non-compliant Terraform files

Documentation file:

docs/gcp/Cloud_Security_Scanner/google_security_scanner_scan_config.md

Testing

Tested each policy using:

compliant Terraform file: c.tf
non-compliant Terraform file: nc.tf
terraform plan -out=tfplan
terraform show -json tfplan
opa eval

github-actions · 2026-05-07T04:31:06Z

🔍 Policy Check Results

Status: ❌ CHECKS FAILED

⚠️ Your PR will not be reviewed until you fix all policy check failures below:

Test Output

OPA check: data.terraform.gcp.security.cloud_security_scanner.google_security_scanner_scan_config.starting_urls.message
Total Google Security Scanner Scan Config detected: 2 
['Situation 1: Security scanner scan config is using insecure HTTP starting URLs.', 'Non-Compliant Resources: None - All passed']
Unique resource names in plan (google_security_scanner_scan_config): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc

OPA check: data.terraform.gcp.security.cloud_security_scanner.google_security_scanner_scan_config.max_qps.message
Total Google Security Scanner Scan Config detected: 2 
['Situation 1: Security scanner scan config has max_qps higher than the approved security limit.', 'Non-Compliant Resources: non-compliant-security-scanner', 'Potential Remedies: Set max_qps to 15 or lower.']
Unique resource names in plan (google_security_scanner_scan_config): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc

OPA check: data.terraform.gcp.security.cloud_security_scanner.google_security_scanner_scan_config.blacklist_patterns.message
Total Google Security Scanner Scan Config detected: 2 
['Situation 1: Security scanner scan config does not exclude sensitive URL patterns.', 'Non-Compliant Resources: non-compliant-security-scanner', 'Potential Remedies: Add blacklist_patterns for sensitive paths such as admin, logout, delete, payment, or account pages.']
Unique resource names in plan (google_security_scanner_scan_config): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc

OPA check: data.terraform.gcp.security.cloud_security_scanner.google_security_scanner_scan_config.export_to_security_command_center.message
Total Google Security Scanner Scan Config detected: 2 
['Situation 1: Security scanner findings are not being exported to Security Command Center.', 'Non-Compliant Resources: non-compliant-security-scanner', 'Potential Remedies: Set export_to_security_command_center to ENABLED.']
Unique resource names in plan (google_security_scanner_scan_config): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc

OPA check: data.terraform.gcp.security.cloud_security_scanner.google_security_scanner_scan_config.custom_account_login_url.message
Total Google Security Scanner Scan Config detected: 2 
['Situation 1: Custom account authentication is using an insecure login URL.', 'Non-Compliant Resources: None - All passed']
Unique resource names in plan (google_security_scanner_scan_config): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc


Summary of policy checks:
Service: cloud_security_scanner
  Resource: google_security_scanner_scan_config
    Policy: starting_urls - ❌
    Policy: max_qps - ❌
    Policy: blacklist_patterns - ❌
    Policy: export_to_security_command_center - ❌
    Policy: custom_account_login_url - ❌


Failures:
Service: cloud_security_scanner | Resource: google_security_scanner_scan_config | Policy: starting_urls
Unmentioned resources other than 'c' found: nc

Service: cloud_security_scanner | Resource: google_security_scanner_scan_config | Policy: max_qps
Unmentioned resources other than 'c' found: nc

Service: cloud_security_scanner | Resource: google_security_scanner_scan_config | Policy: blacklist_patterns
Unmentioned resources other than 'c' found: nc

Service: cloud_security_scanner | Resource: google_security_scanner_scan_config | Policy: export_to_security_command_center
Unmentioned resources other than 'c' found: nc

Service: cloud_security_scanner | Resource: google_security_scanner_scan_config | Policy: custom_account_login_url
Unmentioned resources other than 'c' found: nc

github-actions · 2026-05-07T04:49:16Z

🔍 Policy Check Results

Status: ✅ All checks passed

Test Output

OPA check: data.terraform.gcp.security.cloud_security_scanner.google_security_scanner_scan_config.starting_urls.message
Total Google Security Scanner Scan Config detected: 2 
['Situation 1: Security scanner scan config is using insecure HTTP starting URLs.', 'Non-Compliant Resources: nc', 'Potential Remedies: Use HTTPS URLs in starting_urls.']
Unique resource names in plan (google_security_scanner_scan_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_security_scanner.google_security_scanner_scan_config.max_qps.message
Total Google Security Scanner Scan Config detected: 2 
['Situation 1: Security scanner scan config has max_qps higher than the approved security limit.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set max_qps to 15 or lower.']
Unique resource names in plan (google_security_scanner_scan_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_security_scanner.google_security_scanner_scan_config.blacklist_patterns.message
Total Google Security Scanner Scan Config detected: 2 
['Situation 1: Security scanner scan config does not exclude sensitive URL patterns.', 'Non-Compliant Resources: nc', 'Potential Remedies: Add blacklist_patterns for sensitive paths such as admin, logout, delete, payment, or account pages.']
Unique resource names in plan (google_security_scanner_scan_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_security_scanner.google_security_scanner_scan_config.export_to_security_command_center.message
Total Google Security Scanner Scan Config detected: 2 
['Situation 1: Security scanner findings are not being exported to Security Command Center.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set export_to_security_command_center to ENABLED.']
Unique resource names in plan (google_security_scanner_scan_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_security_scanner.google_security_scanner_scan_config.custom_account_login_url.message
Total Google Security Scanner Scan Config detected: 2 
['Situation 1: Custom account authentication is using an insecure login URL.', 'Non-Compliant Resources: nc', 'Potential Remedies: Use an HTTPS login_url inside authentication.custom_account.']
Unique resource names in plan (google_security_scanner_scan_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: cloud_security_scanner
  Resource: google_security_scanner_scan_config
    Policy: starting_urls - ✅
    Policy: max_qps - ✅
    Policy: blacklist_patterns - ✅
    Policy: export_to_security_command_center - ✅
    Policy: custom_account_login_url - ✅

github-actions · 2026-05-11T01:02:06Z

🔍 Policy Check Results

Status: ✅ All checks passed

Test Output

OPA check: data.terraform.gcp.security.cloud_security_scanner.google_security_scanner_scan_config.starting_urls.message
Total Google Security Scanner Scan Config detected: 2 
['Situation 1: Security scanner scan config is using insecure HTTP starting URLs.', 'Non-Compliant Resources: nc', 'Potential Remedies: Use HTTPS URLs in starting_urls.']
Unique resource names in plan (google_security_scanner_scan_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_security_scanner.google_security_scanner_scan_config.max_qps.message
Total Google Security Scanner Scan Config detected: 2 
['Situation 1: Security scanner scan config has max_qps higher than the approved security limit.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set max_qps to 15 or lower.']
Unique resource names in plan (google_security_scanner_scan_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_security_scanner.google_security_scanner_scan_config.blacklist_patterns.message
Total Google Security Scanner Scan Config detected: 2 
['Situation 1: Security scanner scan config does not exclude sensitive URL patterns.', 'Non-Compliant Resources: nc', 'Potential Remedies: Add blacklist_patterns for sensitive paths such as admin, logout, delete, payment, or account pages.']
Unique resource names in plan (google_security_scanner_scan_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_security_scanner.google_security_scanner_scan_config.export_to_security_command_center.message
Total Google Security Scanner Scan Config detected: 2 
['Situation 1: Security scanner findings are not being exported to Security Command Center.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set export_to_security_command_center to ENABLED.']
Unique resource names in plan (google_security_scanner_scan_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_security_scanner.google_security_scanner_scan_config.custom_account_login_url.message
Total Google Security Scanner Scan Config detected: 2 
['Situation 1: Custom account authentication is using an insecure login URL.', 'Non-Compliant Resources: nc', 'Potential Remedies: Use an HTTPS login_url inside authentication.custom_account.']
Unique resource names in plan (google_security_scanner_scan_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: cloud_security_scanner
  Resource: google_security_scanner_scan_config
    Policy: starting_urls - ✅
    Policy: max_qps - ✅
    Policy: blacklist_patterns - ✅
    Policy: export_to_security_command_center - ✅
    Policy: custom_account_login_url - ✅

Sundi202 · 2026-05-13T12:50:35Z

Hi could you please include your json doc as well.

Sundi202 · 2026-05-13T12:51:52Z

Did you generate your plan.json?

Sundi202 · 2026-05-13T12:52:46Z

+		"condition": "starting_urls must not use insecure HTTP",
+		"attribute_path": ["starting_urls", 0],
+		"values": ["http://example.com"],
+		"policy_type": "blacklist",


Use pattern blacklist for this.

Sundi202

Hi your json document is missing and it seems like you did not generate a plan.json in your input folder because your terraform.lock is missing

github-actions · 2026-05-14T05:56:44Z

🔍 Policy Check Results

Status: ❌ CHECKS FAILED

⚠️ Your PR will not be reviewed until you fix all policy check failures below:

Test Output

OPA check: data.terraform.gcp.security.cloud_security_scanner.google_security_scanner_scan_config.starting_urls.message
Total Google Security Scanner Scan Config detected: 2 
['Situation 1: Security scanner scan config is using insecure HTTP starting URLs.', 'Non-Compliant Resources: None - All passed']
Unique resource names in plan (google_security_scanner_scan_config): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc

OPA check: data.terraform.gcp.security.cloud_security_scanner.google_security_scanner_scan_config.max_qps.message
Total Google Security Scanner Scan Config detected: 2 
['Situation 1: Security scanner scan config has max_qps higher than the approved security limit.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set max_qps to 15 or lower.']
Unique resource names in plan (google_security_scanner_scan_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_security_scanner.google_security_scanner_scan_config.blacklist_patterns.message
Total Google Security Scanner Scan Config detected: 2 
['Situation 1: Security scanner scan config does not exclude sensitive URL patterns.', 'Non-Compliant Resources: nc', 'Potential Remedies: Add blacklist_patterns for sensitive paths such as admin, logout, delete, payment, or account pages.']
Unique resource names in plan (google_security_scanner_scan_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_security_scanner.google_security_scanner_scan_config.export_to_security_command_center.message
Total Google Security Scanner Scan Config detected: 2 
['Situation 1: Security scanner findings are not being exported to Security Command Center.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set export_to_security_command_center to ENABLED.']
Unique resource names in plan (google_security_scanner_scan_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_security_scanner.google_security_scanner_scan_config.custom_account_login_url.message
Total Google Security Scanner Scan Config detected: 2 
['Situation 1: Custom account authentication is using an insecure login URL.', 'Non-Compliant Resources: nc', 'Potential Remedies: Use an HTTPS login_url inside authentication.custom_account.']
Unique resource names in plan (google_security_scanner_scan_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: cloud_security_scanner
  Resource: google_security_scanner_scan_config
    Policy: starting_urls - ❌
    Policy: max_qps - ✅
    Policy: blacklist_patterns - ✅
    Policy: export_to_security_command_center - ✅
    Policy: custom_account_login_url - ✅


Failures:
Service: cloud_security_scanner | Resource: google_security_scanner_scan_config | Policy: starting_urls
Unmentioned resources other than 'c' found: nc

github-actions · 2026-05-14T06:08:30Z

🔍 Policy Check Results

Status: ✅ All checks passed

Test Output

OPA check: data.terraform.gcp.security.cloud_security_scanner.google_security_scanner_scan_config.starting_urls.message
Total Google Security Scanner Scan Config detected: 2 
['Situation 1: Security scanner scan config is using insecure HTTP starting URLs.', 'Non-Compliant Resources: nc', 'Potential Remedies: Use HTTPS URLs in starting_urls.']
Unique resource names in plan (google_security_scanner_scan_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_security_scanner.google_security_scanner_scan_config.max_qps.message
Total Google Security Scanner Scan Config detected: 2 
['Situation 1: Security scanner scan config has max_qps higher than the approved security limit.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set max_qps to 15 or lower.']
Unique resource names in plan (google_security_scanner_scan_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_security_scanner.google_security_scanner_scan_config.blacklist_patterns.message
Total Google Security Scanner Scan Config detected: 2 
['Situation 1: Security scanner scan config does not exclude sensitive URL patterns.', 'Non-Compliant Resources: nc', 'Potential Remedies: Add blacklist_patterns for sensitive paths such as admin, logout, delete, payment, or account pages.']
Unique resource names in plan (google_security_scanner_scan_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_security_scanner.google_security_scanner_scan_config.export_to_security_command_center.message
Total Google Security Scanner Scan Config detected: 2 
['Situation 1: Security scanner findings are not being exported to Security Command Center.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set export_to_security_command_center to ENABLED.']
Unique resource names in plan (google_security_scanner_scan_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_security_scanner.google_security_scanner_scan_config.custom_account_login_url.message
Total Google Security Scanner Scan Config detected: 2 
['Situation 1: Custom account authentication is using an insecure login URL.', 'Non-Compliant Resources: nc', 'Potential Remedies: Use an HTTPS login_url inside authentication.custom_account.']
Unique resource names in plan (google_security_scanner_scan_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: cloud_security_scanner
  Resource: google_security_scanner_scan_config
    Policy: starting_urls - ✅
    Policy: max_qps - ✅
    Policy: blacklist_patterns - ✅
    Policy: export_to_security_command_center - ✅
    Policy: custom_account_login_url - ✅

Sundi202 · 2026-05-18T14:16:00Z

Hi please give this file a relatable policy name.

github-actions · 2026-05-19T06:04:05Z

🔍 Policy Check Results

Status: ❌ CHECKS FAILED

⚠️ Your PR will not be reviewed until you fix all policy check failures below:

Test Output

OPA check: data.terraform.gcp.security.cloud_security_scanner.google_security_scanner_scan_config.export_to_security_command_center.message
Total Google Security Scanner Scan Config detected: 2 
['Situation 1: Security scanner findings are not being exported to Security Command Center.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set export_to_security_command_center to ENABLED.']
Unique resource names in plan (google_security_scanner_scan_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_security_scanner.google_security_scanner_scan_config.blacklist_patterns.message
Total Google Security Scanner Scan Config detected: 2 
['Situation 1: Security scanner scan config does not exclude sensitive URL patterns.', 'Non-Compliant Resources: nc', 'Potential Remedies: Add blacklist_patterns for sensitive paths such as admin, logout, delete, payment, or account pages.']
Unique resource names in plan (google_security_scanner_scan_config): 2
Names mentioned in output: 0
 Missing mentions: compliant_blacklist_patterns, non_compliant_blacklist_patterns
Check failed: Unmentioned resources other than 'c' found: compliant_blacklist_patterns, non_compliant_blacklist_patterns

OPA check: data.terraform.gcp.security.cloud_security_scanner.google_security_scanner_scan_config.max_qps.message
Total Google Security Scanner Scan Config detected: 2 
['Situation 1: Security scanner scan config has max_qps higher than the approved security limit.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set max_qps to 15 or lower.']
Unique resource names in plan (google_security_scanner_scan_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_security_scanner.google_security_scanner_scan_config.custom_account_login_url.message
Total Google Security Scanner Scan Config detected: 2 
['Situation 1: Custom account authentication is using an insecure login URL.', 'Non-Compliant Resources: nc', 'Potential Remedies: Use an HTTPS login_url inside authentication.custom_account.']
Unique resource names in plan (google_security_scanner_scan_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_security_scanner.google_security_scanner_scan_config.starting_urls.message
Total Google Security Scanner Scan Config detected: 2 
['Situation 1: Security scanner scan config is using insecure HTTP starting URLs.', 'Non-Compliant Resources: nc', 'Potential Remedies: Use HTTPS URLs in starting_urls.']
Unique resource names in plan (google_security_scanner_scan_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: cloud_security_scanner
  Resource: google_security_scanner_scan_config
    Policy: export_to_security_command_center - ✅
    Policy: blacklist_patterns - ❌
    Policy: max_qps - ✅
    Policy: custom_account_login_url - ✅
    Policy: starting_urls - ✅


Failures:
Service: cloud_security_scanner | Resource: google_security_scanner_scan_config | Policy: blacklist_patterns
Unmentioned resources other than 'c' found: compliant_blacklist_patterns, non_compliant_blacklist_patterns

github-actions · 2026-05-19T06:15:55Z

🔍 Policy Check Results

Status: ✅ All checks passed

Test Output

OPA check: data.terraform.gcp.security.cloud_security_scanner.google_security_scanner_scan_config.export_to_security_command_center.message
Total Google Security Scanner Scan Config detected: 2 
['Situation 1: Security scanner findings are not being exported to Security Command Center.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set export_to_security_command_center to ENABLED.']
Unique resource names in plan (google_security_scanner_scan_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_security_scanner.google_security_scanner_scan_config.blacklist_patterns.message
Total Google Security Scanner Scan Config detected: 2 
['Situation 1: Security scanner scan config does not exclude sensitive URL patterns.', 'Non-Compliant Resources: nc', 'Potential Remedies: Add blacklist_patterns for sensitive paths such as admin, logout, delete, payment, or account pages.']
Unique resource names in plan (google_security_scanner_scan_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_security_scanner.google_security_scanner_scan_config.max_qps.message
Total Google Security Scanner Scan Config detected: 2 
['Situation 1: Security scanner scan config has max_qps higher than the approved security limit.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set max_qps to 15 or lower.']
Unique resource names in plan (google_security_scanner_scan_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_security_scanner.google_security_scanner_scan_config.custom_account_login_url.message
Total Google Security Scanner Scan Config detected: 2 
['Situation 1: Custom account authentication is using an insecure login URL.', 'Non-Compliant Resources: nc', 'Potential Remedies: Use an HTTPS login_url inside authentication.custom_account.']
Unique resource names in plan (google_security_scanner_scan_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_security_scanner.google_security_scanner_scan_config.starting_urls.message
Total Google Security Scanner Scan Config detected: 2 
['Situation 1: Security scanner scan config is using insecure HTTP starting URLs.', 'Non-Compliant Resources: nc', 'Potential Remedies: Use HTTPS URLs in starting_urls.']
Unique resource names in plan (google_security_scanner_scan_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: cloud_security_scanner
  Resource: google_security_scanner_scan_config
    Policy: export_to_security_command_center - ✅
    Policy: blacklist_patterns - ✅
    Policy: max_qps - ✅
    Policy: custom_account_login_url - ✅
    Policy: starting_urls - ✅

Sundi202 · 2026-05-21T12:52:13Z

Wrong config.tf file

Sundi202 · 2026-05-21T12:53:48Z

wrong config.tf file

Sundi202 · 2026-05-21T12:55:14Z

@@ -0,0 +1,6 @@
+resource "google_security_scanner_scan_config" "c" {
+  provider         = google-beta


values should match your c and nc attributes except the complaint and non-complaint values

Sundi202

Please resolve all comments and include the doc json file.

github-actions · 2026-05-23T06:57:32Z

🔍 Policy Check Results

Status: ✅ All checks passed

Test Output

OPA check: data.terraform.gcp.security.cloud_security_scanner.google_security_scanner_scan_config.export_to_security_command_center.message
Total Google Security Scanner Scan Config detected: 2 
['Situation 1: Security scanner findings are not being exported to Security Command Center.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set export_to_security_command_center to ENABLED.']
Unique resource names in plan (google_security_scanner_scan_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_security_scanner.google_security_scanner_scan_config.blacklist_patterns.message
Total Google Security Scanner Scan Config detected: 2 
['Situation 1: Security scanner scan config does not exclude sensitive URL patterns.', 'Non-Compliant Resources: nc', 'Potential Remedies: Add blacklist_patterns for sensitive paths such as admin, logout, delete, payment, or account pages.']
Unique resource names in plan (google_security_scanner_scan_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_security_scanner.google_security_scanner_scan_config.max_qps.message
Total Google Security Scanner Scan Config detected: 2 
['Situation 1: Security scanner scan config has max_qps higher than the approved security limit.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set max_qps to 15 or lower.']
Unique resource names in plan (google_security_scanner_scan_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_security_scanner.google_security_scanner_scan_config.custom_account_login_url.message
Total Google Security Scanner Scan Config detected: 2 
['Situation 1: Custom account authentication is using an insecure login URL.', 'Non-Compliant Resources: nc', 'Potential Remedies: Use an HTTPS login_url inside authentication.custom_account.']
Unique resource names in plan (google_security_scanner_scan_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_security_scanner.google_security_scanner_scan_config.starting_urls.message
Total Google Security Scanner Scan Config detected: 2 
['Situation 1: Security scanner scan config is using insecure HTTP starting URLs.', 'Non-Compliant Resources: nc', 'Potential Remedies: Use HTTPS URLs in starting_urls.']
Unique resource names in plan (google_security_scanner_scan_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: cloud_security_scanner
  Resource: google_security_scanner_scan_config
    Policy: export_to_security_command_center - ✅
    Policy: blacklist_patterns - ✅
    Policy: max_qps - ✅
    Policy: custom_account_login_url - ✅
    Policy: starting_urls - ✅

github-actions · 2026-05-23T07:23:15Z

🔍 Policy Check Results

Status: ✅ All checks passed

Test Output

OPA check: data.terraform.gcp.security.cloud_security_scanner.google_security_scanner_scan_config.export_to_security_command_center.message
Total Google Security Scanner Scan Config detected: 2 
['Situation 1: Security scanner findings are not being exported to Security Command Center.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set export_to_security_command_center to ENABLED.']
Unique resource names in plan (google_security_scanner_scan_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_security_scanner.google_security_scanner_scan_config.blacklist_patterns.message
Total Google Security Scanner Scan Config detected: 2 
['Situation 1: Security scanner scan config does not exclude sensitive URL patterns.', 'Non-Compliant Resources: nc', 'Potential Remedies: Add blacklist_patterns for sensitive paths such as admin, logout, delete, payment, or account pages.']
Unique resource names in plan (google_security_scanner_scan_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_security_scanner.google_security_scanner_scan_config.max_qps.message
Total Google Security Scanner Scan Config detected: 2 
['Situation 1: Security scanner scan config has max_qps higher than the approved security limit.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set max_qps to 15 or lower.']
Unique resource names in plan (google_security_scanner_scan_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_security_scanner.google_security_scanner_scan_config.custom_account_login_url.message
Total Google Security Scanner Scan Config detected: 2 
['Situation 1: Custom account authentication is using an insecure login URL.', 'Non-Compliant Resources: nc', 'Potential Remedies: Use an HTTPS login_url inside authentication.custom_account.']
Unique resource names in plan (google_security_scanner_scan_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_security_scanner.google_security_scanner_scan_config.starting_urls.message
Total Google Security Scanner Scan Config detected: 2 
['Situation 1: Security scanner scan config is using insecure HTTP starting URLs.', 'Non-Compliant Resources: nc', 'Potential Remedies: Use HTTPS URLs in starting_urls.']
Unique resource names in plan (google_security_scanner_scan_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: cloud_security_scanner
  Resource: google_security_scanner_scan_config
    Policy: export_to_security_command_center - ✅
    Policy: blacklist_patterns - ✅
    Policy: max_qps - ✅
    Policy: custom_account_login_url - ✅
    Policy: starting_urls - ✅

Sundi202 · 2026-05-24T04:47:50Z

Missing security impact and rationale

Sundi202 · 2026-05-24T04:48:30Z

Missing security impact and rationale

Sundi202

Resolve all comments

github-actions · 2026-05-25T04:32:01Z

🔍 Policy Check Results

Status: ✅ All checks passed

Test Output

OPA check: data.terraform.gcp.security.cloud_security_scanner.google_security_scanner_scan_config.export_to_security_command_center.message
Total Google Security Scanner Scan Config detected: 2 
['Situation 1: Security scanner findings are not being exported to Security Command Center.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set export_to_security_command_center to ENABLED.']
Unique resource names in plan (google_security_scanner_scan_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_security_scanner.google_security_scanner_scan_config.blacklist_patterns.message
Total Google Security Scanner Scan Config detected: 2 
['Situation 1: Security scanner scan config does not exclude sensitive URL patterns.', 'Non-Compliant Resources: nc', 'Potential Remedies: Add blacklist_patterns for sensitive paths such as admin, logout, delete, payment, or account pages.']
Unique resource names in plan (google_security_scanner_scan_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_security_scanner.google_security_scanner_scan_config.max_qps.message
Total Google Security Scanner Scan Config detected: 2 
['Situation 1: Security scanner scan config has max_qps higher than the approved security limit.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set max_qps to 15 or lower.']
Unique resource names in plan (google_security_scanner_scan_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_security_scanner.google_security_scanner_scan_config.custom_account_login_url.message
Total Google Security Scanner Scan Config detected: 2 
['Situation 1: Custom account authentication is using an insecure login URL.', 'Non-Compliant Resources: nc', 'Potential Remedies: Use an HTTPS login_url inside authentication.custom_account.']
Unique resource names in plan (google_security_scanner_scan_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_security_scanner.google_security_scanner_scan_config.starting_urls.message
Total Google Security Scanner Scan Config detected: 2 
['Situation 1: Security scanner scan config is using insecure HTTP starting URLs.', 'Non-Compliant Resources: nc', 'Potential Remedies: Use HTTPS URLs in starting_urls.']
Unique resource names in plan (google_security_scanner_scan_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: cloud_security_scanner
  Resource: google_security_scanner_scan_config
    Policy: export_to_security_command_center - ✅
    Policy: blacklist_patterns - ✅
    Policy: max_qps - ✅
    Policy: custom_account_login_url - ✅
    Policy: starting_urls - ✅

Add Cloud Security Scanner scan config policies

768dd68

Fix Cloud Security Scanner policy check output

3903f3d

Merge branch 'dev' into gcp/service/cloud_security_scanner

a89815c

github-actions Bot added the CI-Approved PR approved by CI checks label May 11, 2026

Sundi202 self-assigned this May 13, 2026

Sundi202 added the 1st review label May 13, 2026

Sundi202 reviewed May 13, 2026

View reviewed changes

Sundi202 requested changes May 13, 2026

View reviewed changes

Address Cloud Security Scanner review comments

a6cecce

github-actions Bot added CI-Review-Required PR requires review due to failed CI checks and removed CI-Approved PR approved by CI checks labels May 14, 2026

Fix starting_urls pattern blacklist syntax

19c770d

github-actions Bot added CI-Approved PR approved by CI checks and removed CI-Review-Required PR requires review due to failed CI checks labels May 14, 2026

Sundi202 added the 2nd review label May 18, 2026

Sundi202 reviewed May 18, 2026

View reviewed changes

Address Cloud Security Scanner review comments

c5570cd

github-actions Bot added CI-Review-Required PR requires review due to failed CI checks and removed CI-Approved PR approved by CI checks labels May 19, 2026

Changes done

cb86d09

github-actions Bot removed the CI-Review-Required PR requires review due to failed CI checks label May 19, 2026

github-actions Bot added the CI-Approved PR approved by CI checks label May 19, 2026

Sundi202 reviewed May 21, 2026

View reviewed changes

Sundi202 requested changes May 21, 2026

View reviewed changes

Updated the input files based on feedback

bb51c37

Updated Cloud Security Scanner resource JSON

9c41ce7

Sundi202 reviewed May 24, 2026

View reviewed changes

Sundi202 requested changes May 24, 2026

View reviewed changes

Sundi202 added the 3rd review label May 24, 2026

Resolved missing security impact and rationale in resource JSON file

886c6a3

		@@ -0,0 +1,6 @@
		resource "google_security_scanner_scan_config" "c" {
		provider = google-beta

Conversation

Om46-coder commented May 7, 2026

Summary

Documentation

Testing

Uh oh!

github-actions Bot commented May 7, 2026

🔍 Policy Check Results

Test Output

Uh oh!

github-actions Bot commented May 7, 2026

🔍 Policy Check Results

Test Output

Uh oh!

github-actions Bot commented May 11, 2026

🔍 Policy Check Results

Test Output

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Sundi202 left a comment

Choose a reason for hiding this comment

Uh oh!

github-actions Bot commented May 14, 2026

🔍 Policy Check Results

Test Output

Uh oh!

github-actions Bot commented May 14, 2026

🔍 Policy Check Results

Test Output

Uh oh!

Choose a reason for hiding this comment

Uh oh!

github-actions Bot commented May 19, 2026

🔍 Policy Check Results

Test Output

Uh oh!

github-actions Bot commented May 19, 2026

🔍 Policy Check Results

Test Output

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Sundi202 left a comment

Choose a reason for hiding this comment

Uh oh!

github-actions Bot commented May 23, 2026

🔍 Policy Check Results

Test Output

Uh oh!

github-actions Bot commented May 23, 2026

🔍 Policy Check Results

Test Output

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Sundi202 left a comment

Choose a reason for hiding this comment

Uh oh!

github-actions Bot commented May 25, 2026

🔍 Policy Check Results

Test Output

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!